How to copy the permission from on prem share folder to Azure storage bucket

N Wakchaure, Jagdish 175 Reputation points
2024-06-03T13:58:00.45+00:00

Hello Team,

We have huge share data on the on-prem servers which we want to move to an Azure file share. At the same time, when we are moving the share data to the Azure file share, we want the same permissions which are there on the on-prem share folders. Please let us know how we can have the permissions once we move the data to the Azure file share.


Accepted answer
  1. Nehruji R 8,181 Reputation points Microsoft External Staff Moderator
    2024-06-04T09:33:20.8+00:00

    Hello N Wakchaure, Jagdish,

    Greetings! Welcome to Microsoft Q&A Platform.

    Set ACLs for the Root Directory: Before copying a large number of files, configure the access control lists (ACLs) for the root directory of the Azure file share. Changes to root ACLs can take time to propagate if done after a large file migration.

    Configure Windows ACLs (NTFS Permissions): After migrating data to Azure Files, you can set up NTFS permissions just like you would for traditional file servers. These permissions operate at a granular level, controlling access at the directory or file level. Both share-level permissions and NTFS permissions are enforced when a user accesses a file or directory. If there’s a difference between them, the most restrictive one applies. For example:

    • If a user has read/write access at the file level but only read at the share level, they can only read that file.

    • If a user has read/write access at the share level but only read at the file level, they can still only read the file.

    Ensure you have a client machine running Windows with unimpeded network connectivity to the domain controller or Azure AD if using Active Directory Domain Services (AD DS) or Microsoft Entra Kerberos.

    The permissions on the files and folders will remain when you migrate the data; the share permissions have to be configured using the RBAC roles. We have three Azure built-in roles for granting share-level permissions to users:

    • Storage File Data SMB Share Reader allows read access in Azure Storage file shares over SMB.

    • Storage File Data SMB Share Contributor allows read, write, and delete access in Azure Storage file shares over SMB.

    • Storage File Data SMB Share Elevated Contributor allows read, write, delete and modify NTFS permissions in Azure Storage file shares over SMB.

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable#2-assign-access-permissions-to-an-identity

    To change, add or remove security permissions on the files or folder using PowerShell you can use the Set-Acl command. The best way to set the permission is to copy the permissions from another file or folder if you need the same permissions on the destination path.

    To migrate the permissions on the files and folders, you need to use a tool like Azure Storage Mover, AzCopy or Robocopy.

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-migration-overview#migration-toolbox

    All of these support full fidelity copies and allow copying the folder structure. 

    Migrate to SMB Azure file shares using Azure Storage Mover | Microsoft Learn

    Migrate to Azure file shares using RoboCopy | Microsoft Learn

    Transfer data to or from Azure Files by using AzCopy v10 | Microsoft Learn

    Copying data using the migration tools is a multi-step process and involves downtime for cut over. When it comes to authentication, there are multiple authentication options supported by Azure Files; you can use Microsoft Entra Domain Services identity-based authentication.

    Use Microsoft Entra Domain Services to authorize user access to Azure Files over SMB | Microsoft Learn

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
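
One way to run the Robocopy migration mentioned in the answer above and then check that the NTFS permissions actually arrived, as an added example that is not part of the original answer or Microsoft's own script. The server, storage account, share and log names are constructed placeholders, `Compare-ShareAcl` is a hypothetical helper, and the Azure file share is assumed to be reachable over SMB with an identity that may modify NTFS permissions (the Elevated Contributor role listed above).

```powershell
# Added example: every path and name below is a constructed placeholder.
$Source = '\\onprem-fs01\Finance'                            # hypothetical on-prem share
$Dest   = '\\examplestorage.file.core.windows.net\finance'   # hypothetical Azure file share
$Log    = Join-Path $env:TEMP 'finance-migration.log'

# /COPY:DATSO copies Data, Attributes, Timestamps, Security (NTFS ACLs) and Owner.
# /B uses backup mode so ACL-protected files can still be read.
# /MIR also deletes destination items that are absent from the source.
robocopy $Source $Dest /MIR /COPY:DATSO /DCOPY:DAT /B /IT /MT:16 /R:2 /W:1 `
    /NP /NFP /NDL /XD 'System Volume Information' /UNILOG:$Log
# Robocopy exit codes of 8 and above mean at least one item failed to copy.
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE), see $Log" }

function Compare-ShareAcl {
    # Emits one object per directory whose owner or DACL differs between the two trees.
    # Only directories are checked, to keep the walk fast on large shares.
    param(
        [Parameter(Mandatory)][string]$SourceRoot,
        [Parameter(Mandatory)][string]$DestRoot
    )
    $sections = [System.Security.AccessControl.AccessControlSections]'Owner, Access'
    $root     = Get-Item -LiteralPath $SourceRoot
    $prefix   = $root.FullName.TrimEnd('\')
    $dirs     = @($root) + @(Get-ChildItem -LiteralPath $SourceRoot -Directory -Recurse -Force)
    foreach ($dir in $dirs) {
        # Map the source directory to the same relative location on the destination.
        $relative = $dir.FullName.Substring($prefix.Length)
        $target   = $DestRoot.TrimEnd('\') + $relative
        if (-not (Test-Path -LiteralPath $target)) {
            [pscustomobject]@{ Path = $relative; Issue = 'missing on destination'
                               Source = $null; Destination = $null }
            continue
        }
        # Compare owner and DACL in SDDL form (case-sensitive string comparison).
        $src = (Get-Acl -LiteralPath $dir.FullName).GetSecurityDescriptorSddlForm($sections)
        $dst = (Get-Acl -LiteralPath $target).GetSecurityDescriptorSddlForm($sections)
        if ($src -cne $dst) {
            [pscustomobject]@{ Path = $relative; Issue = 'owner or DACL differs'
                               Source = $src; Destination = $dst }
        }
    }
}

# No output means every directory carried its owner and DACL across unchanged.
Compare-ShareAcl -SourceRoot $Source -DestRoot $Dest | Format-List
```

A difference reported for the root path can be intentional if the root ACL of the Azure file share was configured separately before the copy.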
